fix: add extra check to validate org id, and not send requests that w…

…ill fail in the api-gateway
snyk · Oct 26, 2023 · 8c0a3b9 · 8c0a3b9
1 parent 38352a9
commit 8c0a3b9
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/src/constants.ts b/src/constants.ts
@@ -15,6 +15,7 @@ export const UPLOAD_CONCURRENCY = 2;
 export const POLLING_INTERVAL = 500;
 export const MAX_RETRY_ATTEMPTS = 10; // Request retries on network errors
 export const REQUEST_RETRY_DELAY = 5 * 1000; // delay between retries in milliseconds
+export const ORG_ID_REGEXP = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 
 export const IGNORES_DEFAULT = [`**/${GIT_FILENAME}/**`];
 

diff --git a/src/utils/httpUtils.ts b/src/utils/httpUtils.ts
@@ -1,7 +1,9 @@
+import { ORG_ID_REGEXP } from '../constants';
+
 export function getURL(baseURL: string, path: string, orgId?: string): string {
   if (routeToGateway(baseURL)) {
-    if (!orgId) {
-      throw new Error('Org is required for this operation');
+    if (!isValidOrg(orgId)) {
+      throw new Error('A valid Org id is required for this operation');
     }
     return `${baseURL}/hidden/orgs/${orgId}/code${path}`;
   }
@@ -11,3 +13,7 @@ export function getURL(baseURL: string, path: string, orgId?: string): string {
 function routeToGateway(baseURL: string): boolean {
   return baseURL.includes('snykgov.io');
 }
+
+function isValidOrg(orgId?: string): boolean {
+  return orgId !== undefined && ORG_ID_REGEXP.test(orgId);
+}
diff --git a/tests/httpUtils.spec.ts b/tests/httpUtils.spec.ts
@@ -13,7 +13,7 @@ describe('getURL', () => {
   it('should return base + org routing + path if fedramp', () => {
     const base = 'api.snykgov.io';
     const path = '/analysis';
-    const orgId = '1-2-3-4';
+    const orgId = '12345678-1234-1234-1234-1234567890ab';
 
     const result = getURL(base, path, orgId);
 
@@ -24,6 +24,14 @@ describe('getURL', () => {
     const base = 'api.snykgov.io';
     const path = '/analysis';
 
-    expect(() => getURL(base, path)).toThrowError('Org is required for this operation');
+    expect(() => getURL(base, path)).toThrowError('A valid Org id is required for this operation');
+  });
+
+  it('should throw an error if fedramp and org is invalid', () => {
+    const base = 'api.snykgov.io';
+    const path = '/analysis';
+    const orgId = '1-2-3-4';
+
+    expect(() => getURL(base, path, orgId)).toThrowError('A valid Org id is required for this operation');
   });
 });